Modify sigalgs extension processing to accomodate TLS 1.3.

- Make a separate sigalgs list for TLS 1.3 including only modern
algorithm choices which we use when the handshake will not negotiate
TLS 1.2.
- Modify the legacy sigalgs for TLS 1.2 to include the RSA PSS algorithms as
mandated by RFC8446 when the handshake will permit negotiation of TLS 1.2
from a 1.3 handshake.
ok jsing@ tb@

6 files changed, 65 insertions, 15 deletions

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 26755d7c03..e9e900b643 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.54 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.55 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1680,7 +1680,8 @@ ssl3_get_certificate_request(SSL *s)
                         SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
                         goto err;
                 }
-                if (!tls1_process_sigalgs(s, &sigalgs)) {
+                if (!tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+                    tls12_sigalgs_len)) {
                         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                         SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
                         goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 7fd155648c..8447484ec7 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.230 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.231 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1313,7 +1313,7 @@ int tls1_process_ticket(SSL *s, const unsigned char *session_id,
     int session_id_len, CBS *ext_block, SSL_SESSION **ret);
 
 long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, CBS *cbs);
+int tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *, size_t);
 
 int tls1_check_ec_server_key(SSL *s);
 
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 182ea1edaa..041e940d8e 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,6 +1,6 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.13 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.14 2019/01/23 18:39:28 beck Exp $ */
 /*
- * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -163,13 +163,30 @@ const struct ssl_sigalg sigalgs[] = {
         },
 };
 
+/* Sigalgs for tls 1.3, in preference order, */
+uint16_t tls13_sigalgs[] = {
+        SIGALG_RSA_PSS_RSAE_SHA512,
+        SIGALG_RSA_PKCS1_SHA512,
+        SIGALG_ECDSA_SECP512R1_SHA512,
+        SIGALG_RSA_PSS_RSAE_SHA384,
+        SIGALG_RSA_PKCS1_SHA384,
+        SIGALG_ECDSA_SECP384R1_SHA384,
+        SIGALG_RSA_PSS_RSAE_SHA256,
+        SIGALG_RSA_PKCS1_SHA256,
+        SIGALG_ECDSA_SECP256R1_SHA256,
+};
+size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
+
 /* Sigalgs for tls 1.2, in preference order, */
 uint16_t tls12_sigalgs[] = {
+        SIGALG_RSA_PSS_RSAE_SHA512,
         SIGALG_RSA_PKCS1_SHA512,
         SIGALG_ECDSA_SECP512R1_SHA512,
         SIGALG_GOSTR12_512_STREEBOG_512,
+        SIGALG_RSA_PSS_RSAE_SHA384,
         SIGALG_RSA_PKCS1_SHA384,
         SIGALG_ECDSA_SECP384R1_SHA384,
+        SIGALG_RSA_PSS_RSAE_SHA256,
         SIGALG_RSA_PKCS1_SHA256,
         SIGALG_ECDSA_SECP256R1_SHA256,
         SIGALG_GOSTR12_256_STREEBOG_256,
diff --git a/src/lib/libssl/ssl_sigalgs.h b/src/lib/libssl/ssl_sigalgs.h
index a45700389b..0bc7322e17 100644
--- a/src/lib/libssl/ssl_sigalgs.h
+++ b/src/lib/libssl/ssl_sigalgs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.h,v 1.10 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.h,v 1.11 2019/01/23 18:39:28 beck Exp $ */
 /*
  * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
  *
@@ -71,6 +71,8 @@ struct ssl_sigalg{
 
 extern uint16_t tls12_sigalgs[];
 extern size_t tls12_sigalgs_len;
+extern uint16_t tls13_sigalgs[];
+extern size_t tls13_sigalgs_len;
 
 const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg);
 const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index d5c30c4e73..2214a61ed3 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.33 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.34 2019/01/23 18:39:28 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -536,8 +536,27 @@ tlsext_sigalgs_client_build(SSL *s, CBB *cbb)
         if (!CBB_add_u16_length_prefixed(cbb, &sigalgs))
                 return 0;
 
-        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+        switch (TLS1_get_client_version(s)) {
+        case TLS1_2_VERSION:
+                if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len))
+                        return 0;
+                break;
+        case TLS1_3_VERSION:
+                if  (S3I(s)->hs_tls13.min_version < TLS1_3_VERSION) {
+                        if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs,
+                            tls12_sigalgs_len))
+                            return 0;
+                }
+                else {
+                        if (!ssl_sigalgs_build(&sigalgs, tls13_sigalgs,
+                            tls13_sigalgs_len))
+                            return 0;
+                }
+                break;
+        default:
+                /* Should not happen */
                 return 0;
+        }
 
         if (!CBB_flush(cbb))
                 return 0;
@@ -553,7 +572,18 @@ tlsext_sigalgs_server_parse(SSL *s, CBS *cbs, int *alert)
         if (!CBS_get_u16_length_prefixed(cbs, &sigalgs))
                 return 0;
 
-        return tls1_process_sigalgs(s, &sigalgs);
+        switch (s->version) {
+        case TLS1_3_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls13_sigalgs,
+                    tls13_sigalgs_len);
+        case TLS1_2_VERSION:
+                return tls1_process_sigalgs(s, &sigalgs, tls12_sigalgs,
+                    tls12_sigalgs_len);
+        default:
+                break;
+        }
+
+        return 0;
 }
 
 int
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index cde022939d..8986a0e755 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.152 2019/01/23 18:24:40 beck Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.153 2019/01/23 18:39:28 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1002,11 +1002,12 @@ tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 
 /* Set preferred digest for each key type */
 int
-tls1_process_sigalgs(SSL *s, CBS *cbs)
+tls1_process_sigalgs(SSL *s, CBS *cbs, uint16_t *sigalgs, size_t sigalgs_len)
 {
         CERT *c = s->cert;
 
         /* Extension ignored for inappropriate versions */
+        /* XXX get rid of this? */
         if (!SSL_USE_SIGALGS(s))
                 return 1;
 
@@ -1023,9 +1024,8 @@ tls1_process_sigalgs(SSL *s, CBS *cbs)
                 if (!CBS_get_u16(cbs, &sig_alg))
                         return 0;
 
-                if ((sigalg = ssl_sigalg(sig_alg, tls12_sigalgs,
-                    tls12_sigalgs_len)) != NULL &&
-                    c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
+                if ((sigalg = ssl_sigalg(sig_alg, sigalgs, sigalgs_len)) !=
+                    NULL && c->pkeys[sigalg->pkey_idx].sigalg == NULL) {
                         c->pkeys[sigalg->pkey_idx].sigalg = sigalg;
                         if (sigalg->pkey_idx == SSL_PKEY_RSA_SIGN)
                                 c->pkeys[SSL_PKEY_RSA_ENC].sigalg = sigalg;